@tailor-platform/sdk 1.62.0 → 2.0.0-next.0

package/dist/cli/index.mjs

@@ -3,8 +3,8 @@
 import { Et as AuthInvokerSchema, L as CustomDomainStatus, Nt as PATScope, Q as FunctionExecution_Type, _ as userAgent, a as fetchAll, c as fetchPlatformMachineUserToken, d as initOAuth2Client, f as initOperatorClient, l as fetchUserInfo, r as closeConnectionPool, s as fetchPaged } from "../client-CobIRHl-.mjs";
 import { t as assertDefined } from "../assert-CKfwrmCV.mjs";
 import { n as logger, r as styles } from "../logger-DpJyJvNz.mjs";
-import { $ as listCommand$10, $t as INITIAL_SCHEMA_NUMBER, An as configArg, At as startCommand, B as logBetaWarning, C as listCommand$13, Cn as generateUserTypes, Dn as assertWritable, Dt as jobsCommand, E as resumeCommand, F as writeDbTypesFile, Fn as paginationArgs, Gt as MIGRATION_LABEL_KEY, H as removeCommand$1, Ht as executeScript, I as getConfiguredEditorCommand, In as toPageDirection, Jt as compareSnapshotWithRemote, K as treeCommand, Kt as handleOptionalToRequiredError, L as openInConfiguredEditor, Ln as workspaceArgs, Lt as functionExecutionStatusToString, Mn as deploymentArgs, Mt as getCommand$6, N as generateCommand$1, Nn as isVerbose, O as listCommand$12, On as defineAppCommand, P as generateMigrationScript, Pn as pagedLogArgs, Pt as executionsCommand, Rt as formatKeyValueTable, Sn as PluginManager, St as triggerCommand, T as healthCommand, Tn as apiCommand, U as updateCommand$3, Vt as deploy, Xt as protoGqlPermission, Y as getCommand$5, Yt as generateAllTypeManifestsFromSnapshot, Z as updateCommand$2, _n as formatMigrationDiff, an as createSnapshotFromLocalTypes, at as createCommand$3, b as createCommand$4, bn as resourceTrn, c as listCommand$14, cn as getMigrationFilePath, dn as isValidMigrationNumber, f as restoreCommand, fn as loadDiff, ft as tokenCommand, g as getCommand$7, gt as listCommand$7, hn as parseMigrationNumberArg, ht as generate, i as updateCommand$4, j as truncateCommand, jn as confirmationArgs, kn as commonArgs, ln as getMigrationFiles, lt as getCommand$3, m as listCommand$15, mn as formatMigrationNumber, nn as assertValidMigrationFiles, o as removeCommand, on as getLatestMigrationNumber, pn as reconstructSnapshotFromMigrations, pt as listCommand$8, q as listCommand$11, qt as parseMigrationLabelNumber, r as queryCommand, rn as compareLocalTypesWithSnapshot, rt as deleteCommand$3, st as listCommand$9, t as isNativeTypeScriptRuntime, tt as getCommand$4, u as inviteCommand, v as deleteCommand$4, vn as hasChanges, vt as getCommand$2, wn as prompt, wt as listCommand$6, xn as sdkNameLabelKey, xt as webhookCommand, yn as getNamespacesWithMigrations, z as showCommand, zt as getCommand$1 } from "../runtime-C6o4hiYq.mjs";
-import { A as resolveTokens, C as loadConfig, E as loadAccessToken, M as writePlatformConfig, O as loadWorkspaceId, T as fetchLatestToken, _ as createLogLevelTreeshakeOptions, a as WorkflowJobSchema, b as getDistDir, c as INVOKER_EXPR, g as composeFunctionTreeshakeOptions, h as platformBundleDefinePlugin, i as resolveInlineSourcemap, j as saveUserTokens, k as readPlatformConfig, o as ResolverSchema, t as defineApplication, v as resolveBundleLogLevel, w as deleteUserTokens, x as hashContent } from "../application-BezXGbrU.mjs";
+import { $ as listCommand$10, $t as INITIAL_SCHEMA_NUMBER, An as commonArgs, At as startCommand, B as logBetaWarning, C as listCommand$13, Cn as PluginManager, Dt as jobsCommand, E as resumeCommand, En as apiCommand, F as writeDbTypesFile, Fn as pagedLogArgs, Gt as MIGRATION_LABEL_KEY, H as removeCommand$1, Ht as executeScript, I as getConfiguredEditorCommand, In as paginationArgs, Jt as compareSnapshotWithRemote, K as treeCommand, Kt as handleOptionalToRequiredError, L as openInConfiguredEditor, Ln as toPageDirection, Lt as functionExecutionStatusToString, Mn as confirmationArgs, Mt as getCommand$6, N as generateCommand$1, Nn as deploymentArgs, O as listCommand$12, On as assertWritable, P as generateMigrationScript, Pn as isVerbose, Pt as executionsCommand, Rn as workspaceArgs, Rt as formatKeyValueTable, Sn as sdkNameLabelKey, St as triggerCommand, T as healthCommand, Tn as prompt, U as updateCommand$3, Vt as deploy, Xt as protoGqlPermission, Y as getCommand$5, Yt as generateAllTypeManifestsFromSnapshot, Z as updateCommand$2, _n as formatMigrationDiff, an as createSnapshotFromLocalTypes, at as createCommand$3, b as createCommand$4, bn as ensureConfigId, c as listCommand$14, cn as getMigrationFilePath, dn as isValidMigrationNumber, f as restoreCommand, fn as loadDiff, ft as tokenCommand, g as getCommand$7, gt as listCommand$7, hn as parseMigrationNumberArg, ht as generate, i as updateCommand$4, j as truncateCommand, jn as configArg, kn as defineAppCommand, ln as getMigrationFiles, lt as getCommand$3, m as listCommand$15, mn as formatMigrationNumber, nn as assertValidMigrationFiles, o as removeCommand, on as getLatestMigrationNumber, pn as reconstructSnapshotFromMigrations, pt as listCommand$8, q as listCommand$11, qt as parseMigrationLabelNumber, r as queryCommand, rn as compareLocalTypesWithSnapshot, rt as deleteCommand$3, st as listCommand$9, t as isNativeTypeScriptRuntime, tt as getCommand$4, u as inviteCommand, v as deleteCommand$4, vn as hasChanges, vt as getCommand$2, wn as generateUserTypes, wt as listCommand$6, xn as resourceTrn, xt as webhookCommand, yn as getNamespacesWithMigrations, z as showCommand, zt as getCommand$1 } from "../runtime-C7qTBDD2.mjs";
+import { A as readPlatformConfig, C as loadConfig, E as loadAccessToken, M as saveUserTokens, N as writePlatformConfig, O as loadMachineUserName, T as fetchLatestToken, _ as createLogLevelTreeshakeOptions, a as WorkflowJobSchema, b as getDistDir, c as INVOKER_EXPR, g as composeFunctionTreeshakeOptions, h as platformBundleDefinePlugin, i as resolveInlineSourcemap, j as resolveTokens, k as loadWorkspaceId, o as ResolverSchema, t as defineApplication, v as resolveBundleLogLevel, w as deleteUserTokens, x as hashContent$1 } from "../application-76hhIhnJ.mjs";
 import { n as ExecutorSchema } from "../service-wI3Hvrgx.mjs";
 import { t as multiline } from "../multiline-Cf9ODpr1.mjs";
 import { r as isPluginGeneratedType } from "../seed-BH2FbrPV.mjs";
@@ -24,6 +24,7 @@ import { generateCodeVerifier } from "@badgateway/oauth2-client";
 import { Code, ConnectError } from "@connectrpc/connect";
 import { resolvePackageJSON, resolveTSConfig } from "pkg-types";
 import * as crypto from "node:crypto";
+import { createHash } from "node:crypto";
 import * as http from "node:http";
 import open from "open";
 import * as rolldown from "rolldown";
@@ -1399,7 +1400,7 @@ const testRunCommand = defineAppCommand({
 		}),
 		"machine-user": arg(z.string().optional(), {
 			alias: "m",
-			description: "Machine user name for authentication",
+			description: "Machine user name for authentication. Falls back to the active profile's default machine user.",
 			env: "TAILOR_PLATFORM_MACHINE_USER_NAME"
 		}),
 		config: arg(z.string().default("tailor.config.ts"), {
@@ -1433,7 +1434,11 @@ When a \`.js\` file is provided, detection and bundling are skipped and the file
 		if (!fs$1.existsSync(filePath)) throw new Error(`File not found: ${filePath}`);
 		const { config } = await loadConfig(args.config);
 		const authNamespace = resolveAuthNamespace(config.auth);
-		const machineUserName = resolveMachineUserName(args["machine-user"], config.auth);
+		const machineUserName = await resolveMachineUserName({
+			cliMachineUser: args["machine-user"],
+			profile: args.profile,
+			authConfig: config.auth
+		});
 		const client = await initOperatorClient(await loadAccessToken({ profile: args.profile }));
 		const workspaceId = await loadWorkspaceId({
 			workspaceId: args["workspace-id"],
@@ -1541,13 +1546,18 @@ function resolveAuthNamespace(authConfig) {
 	throw new Error("Auth namespace is required. Ensure tailor.config.ts has an auth config.");
 }
 /**
-* Resolve machine user name from CLI args or config. Priority: --machine-user > first key of config.auth.machineUsers
-* @param cliMachineUser - CLI --machine-user value
-* @param authConfig - Auth configuration from tailor.config.ts
+* Resolve machine user name from CLI args, profile default, or config.
+* Priority: --machine-user / env > profile default > first key of config.auth.machineUsers > error
+* @param options - Resolution options
 * @returns Resolved machine user name
 */
-function resolveMachineUserName(cliMachineUser, authConfig) {
-	if (cliMachineUser) return cliMachineUser;
+async function resolveMachineUserName(options) {
+	const { cliMachineUser, profile, authConfig } = options;
+	const resolved = await loadMachineUserName({
+		machineUser: cliMachineUser,
+		profile
+	});
+	if (resolved) return resolved;
 	if (authConfig && !("external" in authConfig && authConfig.external)) {
 		const machineUsers = authConfig.machineUsers;
 		if (machineUsers) {
@@ -1555,7 +1565,7 @@ function resolveMachineUserName(cliMachineUser, authConfig) {
 			if (keys.length > 0) return assertDefined(keys[0], "machine user key missing");
 		}
 	}
-	throw new Error("Machine user is required. Provide --machine-user or ensure tailor.config.ts has machine users configured.");
+	throw new Error("Machine user is required. Provide --machine-user, set TAILOR_PLATFORM_MACHINE_USER_NAME, set a profile default with 'tailor-sdk profile update <profile> --machine-user <name>', or ensure tailor.config.ts has machine users configured.");
 }
 /**
 * Resolve full machine user info: name, id (from API), and attributes (from config).
@@ -1973,9 +1983,15 @@ const createCommand$2 = defineAppCommand({
 			alias: "w",
 			description: "Workspace ID"
 		}),
-		permission: arg(z.enum(["write", "read"]).default("write"), { description: "Profile permission. 'read' blocks all write commands while the profile is active." })
+		permission: arg(z.enum(["write", "read"]).default("write"), { description: "Profile permission. 'read' blocks all write commands while the profile is active." }),
+		"machine-user": arg(z.string().optional(), {
+			alias: "m",
+			description: "Default machine user name for application-data commands (query, workflow start, function test-run, machineuser token)."
+		}),
+		"machine-user-override": arg(z.enum(["allow", "deny"]).optional(), { description: "Whether the command line or TAILOR_PLATFORM_MACHINE_USER_NAME may override the profile's machine user. 'deny' requires --machine-user." })
 	}).strict(),
 	run: async (args) => {
+		if (args["machine-user-override"] === "deny" && !args["machine-user"]) throw new Error("--machine-user-override deny requires --machine-user.");
 		const config = await readPlatformConfig();
 		if (config.profiles[args.name]) throw new Error(`Profile "${args.name}" already exists.`);
 		const client = await initOperatorClient(await fetchLatestToken(config, args.user));
@@ -1989,7 +2005,9 @@ const createCommand$2 = defineAppCommand({
 		config.profiles[args.name] = {
 			user: args.user,
 			workspace_id: args["workspace-id"],
-			...args.permission === "read" ? { readonly: true } : {}
+			...args.permission === "read" ? { readonly: true } : {},
+			...args["machine-user"] ? { machine_user: args["machine-user"] } : {},
+			...args["machine-user-override"] === "deny" ? { machine_user_override: "deny" } : {}
 		};
 		writePlatformConfig(config);
 		if (!args.json) logger.success(`Profile "${args.name}" created successfully.`);
@@ -1997,7 +2015,11 @@ const createCommand$2 = defineAppCommand({
 			name: args.name,
 			user: args.user,
 			workspaceId: args["workspace-id"],
-			permission: args.permission
+			permission: args.permission,
+			...args["machine-user"] ? {
+				machineUser: args["machine-user"],
+				machineUserOverride: args["machine-user-override"] ?? "allow"
+			} : {}
 		};
 		logger.out(profileInfo);
 	}
@@ -2045,7 +2067,11 @@ const listCommand$4 = defineAppCommand({
 				name,
 				user: p.user,
 				workspaceId: p.workspace_id,
-				permission: p.readonly === true ? "read" : "write"
+				permission: p.readonly === true ? "read" : "write",
+				...p.machine_user ? {
+					machineUser: p.machine_user,
+					machineUserOverride: p.machine_user_override ?? "allow"
+				} : {}
 			};
 		});
 		logger.out(profileInfos);
@@ -2070,17 +2096,28 @@ const updateCommand$1 = defineAppCommand({
 			alias: "w",
 			description: "New workspace ID"
 		}),
-		permission: arg(z.enum(["write", "read"]).optional(), { description: "Profile permission. 'read' blocks all write commands; 'write' lifts the restriction." })
+		permission: arg(z.enum(["write", "read"]).optional(), { description: "Profile permission. 'read' blocks all write commands; 'write' lifts the restriction." }),
+		"machine-user": arg(z.string().optional(), {
+			alias: "m",
+			description: "Default machine user name for application-data commands (query, workflow start, function test-run, machineuser token). Pass an empty string to clear."
+		}),
+		"machine-user-override": arg(z.enum(["allow", "deny"]).optional(), { description: "Whether the command line or TAILOR_PLATFORM_MACHINE_USER_NAME may override the profile's machine user. 'deny' requires --machine-user; 'allow' lifts the restriction." })
 	}).strict(),
 	run: async (args) => {
 		const config = await readPlatformConfig();
 		const profile = config.profiles[args.name];
 		if (!profile) throw new Error(`Profile "${args.name}" not found.`);
-		if (!args.user && !args["workspace-id"] && args.permission === void 0) throw new Error("Please provide at least one property to update.");
+		if (!args.user && !args["workspace-id"] && args.permission === void 0 && args["machine-user"] === void 0 && args["machine-user-override"] === void 0) throw new Error("Please provide at least one property to update.");
 		const oldUser = profile.user;
 		const newUser = args.user || oldUser;
 		const oldWorkspaceId = profile.workspace_id;
 		const newWorkspaceId = args["workspace-id"] || oldWorkspaceId;
+		const finalMachineUser = args["machine-user"] === "" ? void 0 : args["machine-user"] ?? profile.machine_user;
+		const finalOverride = args["machine-user-override"] === "allow" ? void 0 : args["machine-user-override"] ?? profile.machine_user_override;
+		if ((args["machine-user"] !== void 0 || args["machine-user-override"] !== void 0) && finalOverride === "deny" && !finalMachineUser) {
+			if (args["machine-user-override"] === "deny") throw new Error("--machine-user-override deny requires --machine-user.");
+			throw new Error(`Cannot clear the machine user while machine-user-override is "deny". Also pass --machine-user-override allow.`);
+		}
 		if (args.user !== void 0 || args["workspace-id"] !== void 0) {
 			const client = await initOperatorClient(await fetchLatestToken(config, newUser));
 			if (!(await fetchAll(async (pageToken, maxPageSize) => {
@@ -2095,13 +2132,21 @@ const updateCommand$1 = defineAppCommand({
 		profile.workspace_id = newWorkspaceId;
 		if (args.permission === "read") profile.readonly = true;
 		else if (args.permission === "write") delete profile.readonly;
+		if (args["machine-user"] !== void 0) if (args["machine-user"] === "") delete profile.machine_user;
+		else profile.machine_user = args["machine-user"];
+		if (args["machine-user-override"] === "deny") profile.machine_user_override = "deny";
+		else if (args["machine-user-override"] === "allow") delete profile.machine_user_override;
 		writePlatformConfig(config);
 		if (!args.json) logger.success(`Profile "${args.name}" updated successfully`);
 		const profileInfo = {
 			name: args.name,
 			user: newUser,
 			workspaceId: newWorkspaceId,
-			permission: profile.readonly === true ? "read" : "write"
+			permission: profile.readonly === true ? "read" : "write",
+			...profile.machine_user ? {
+				machineUser: profile.machine_user,
+				machineUserOverride: profile.machine_user_override ?? "allow"
+			} : {}
 		};
 		logger.out(profileInfo);
 	}
@@ -2564,33 +2609,159 @@ const secretCommand = defineCommand({
 });
 
 //#endregion
-//#region src/cli/commands/setup/github/deploy.workflow.yml
-var deploy_workflow_default = "name: Tailor Platform\n\non:\n  pull_request:\n    branches:\n      - main\n  push:\n    branches:\n      - main\n  workflow_dispatch:\n\nconcurrency:\n  group: tailor-__WORKSPACE_NAME__-${{ github.head_ref || github.ref }}\n  cancel-in-progress: ${{ github.event_name == 'pull_request' }}\n\njobs:\n  # __PLAN_JOB_START__\n  plan:\n    if: github.event_name == 'pull_request'\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      pull-requests: write\n    steps:\n      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n        with:\n          fetch-depth: 0\n      # __SETUP_STEPS__\n      - uses: tailor-platform/actions/plan@e63ed98630a23fa21ee0636abf0f7fb75fcdce40 # v1.1.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n  # __PLAN_JOB_END__\n  deploy:\n    if: github.event_name != 'pull_request'\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n    steps:\n      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - uses: tailor-platform/actions/deploy@e63ed98630a23fa21ee0636abf0f7fb75fcdce40 # v1.1.0\n        with:\n          workspace-name: __WORKSPACE_NAME__\n          workspace-region: __WORKSPACE_REGION__\n          organization-id: __ORGANIZATION_ID__\n          folder-id: __FOLDER_ID__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
+//#region src/cli/commands/setup/github/git.ts
+const defaultGitRunner = (args, cwd) => {
+	const result = spawnSync("git", args, {
+		cwd,
+		encoding: "utf-8"
+	});
+	if (result.status !== 0 || typeof result.stdout !== "string") return null;
+	return result.stdout.trim();
+};
+/**
+* Detect the remote default branch by reading `refs/remotes/origin/HEAD`.
+*
+* Throws an AI-first error (with a remediation hint) when the symbolic ref is
+* not set, so the caller can surface a clear next step instead of a silent
+* fallback.
+* @param cwd - Repository directory to inspect
+* @param run - Git runner, injectable for testing
+* @returns The default branch name (e.g. `main`)
+*/
+function detectDefaultBranch(cwd, run = defaultGitRunner) {
+	const ref = run([
+		"symbolic-ref",
+		"--short",
+		"refs/remotes/origin/HEAD"
+	], cwd);
+	const branch = ref?.startsWith("origin/") ? ref.slice(7) : ref;
+	if (!branch) throw new Error("Could not detect the default branch from git. Pass --branch <name>, or run 'git remote set-head origin --auto' to record it.");
+	return branch;
+}
+
+//#endregion
+//#region src/cli/commands/setup/github/lock.ts
+/** Current lock schema version. Bumped only on breaking lock-format changes. */
+const LOCK_VERSION = 1;
+/** Lock file path, relative to the repository root. */
+const LOCK_FILENAME = ".github/tailor-sdk.lock";
+/**
+* Compute the lock content hash for a rendered workflow file.
+* @param content - File content to hash
+* @returns `sha256:<hex>` digest string
+*/
+function hashContent(content) {
+	return `sha256:${createHash("sha256").update(content, "utf-8").digest("hex")}`;
+}
+/**
+* Resolve the absolute lock file path for an output directory.
+* @param outputDir - Repository root where `.github` lives
+* @returns Absolute path to the lock file
+*/
+function lockPath(outputDir) {
+	return path.join(outputDir, LOCK_FILENAME);
+}
+/**
+* Read and validate the lock file from disk.
+*
+* Returns null when no lock exists. Throws when the lock was written by a
+* newer SDK (forward-compatibility guard).
+* @param outputDir - Repository root where `.github` lives
+* @returns Parsed lock file, or null when absent
+*/
+function readLock(outputDir) {
+	const file = lockPath(outputDir);
+	if (!fs$1.existsSync(file)) return null;
+	let parsed;
+	try {
+		parsed = JSON.parse(fs$1.readFileSync(file, "utf-8"));
+	} catch (cause) {
+		throw new Error(`${LOCK_FILENAME} is not valid JSON. The lock file is machine-owned; restore it from git (git checkout -- .github/tailor-sdk.lock) and re-run setup.`, { cause });
+	}
+	if (typeof parsed.version !== "number") throw new Error(`${LOCK_FILENAME} has no valid 'version' field. The lock file is machine-owned; restore it from git (git checkout -- .github/tailor-sdk.lock) and re-run setup.`);
+	if (parsed.version > 1) throw new Error(`${LOCK_FILENAME} was written by a newer SDK (lock version ${String(parsed.version)}). Update @tailor-platform/sdk to continue (e.g. pnpm update @tailor-platform/sdk).`);
+	if (!Array.isArray(parsed.targets)) throw new Error(`${LOCK_FILENAME} has no valid 'targets' array. The lock file is machine-owned; restore it from git (git checkout -- .github/tailor-sdk.lock) and re-run setup.`);
+	return parsed;
+}
+/**
+* Write the lock file to disk (2-space JSON, trailing newline).
+* @param outputDir - Repository root where `.github` lives
+* @param lock - Lock file contents to serialize
+*/
+function writeLock(outputDir, lock) {
+	const file = lockPath(outputDir);
+	fs$1.mkdirSync(path.dirname(file), { recursive: true });
+	fs$1.writeFileSync(file, `${JSON.stringify(lock, null, 2)}\n`, "utf-8");
+}
+/**
+* Find a lock target by identity. Targets are identified by (kind,
+* workspaceName); the full trigger/path cross-check is deferred to P2.
+* @param lock - Lock file to search, or null
+* @param kind - Target kind
+* @param workspaceName - Workspace name
+* @returns Matching target, or undefined
+*/
+function findTarget(lock, kind, workspaceName) {
+	return lock?.targets.find((t) => t.kind === kind && t.workspaceName === workspaceName);
+}
+
+//#endregion
+//#region src/cli/commands/setup/github/branch.workflow.yml
+var branch_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  # __PULL_REQUEST_START__\n  pull_request:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  # __PULL_REQUEST_END__\n  push:\n    branches: [\"__BRANCH__\"]\n    # __PATHS__\n  workflow_dispatch:\n    # __DISPATCH_INPUTS_START__\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n    # __DISPATCH_INPUTS_END__\n\npermissions:\n  contents: read\n\njobs:\n  # __PLAN_JOB_START__\n  tailor-plan:\n    if: >-\n      github.event_name == 'pull_request' ||\n      (github.event_name == 'workflow_dispatch' && inputs['dry-run'])\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n      pull-requests: write\n    concurrency:\n      group: tailor-plan-__WORKSPACE_NAME__-${{ github.event.pull_request.number || github.run_id }}\n      cancel-in-progress: true\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n      - id: tailor-generate-check\n        run: |\n          git add -A\n          if ! git diff --cached --quiet; then\n            git --no-pager diff --cached --stat\n            echo \"::error::Generated files are out of date. Run 'tailor-sdk generate' locally and commit the result.\"\n            exit 1\n          fi\n      - id: tailor-plan\n        # Fork PRs cannot read secrets; the checks above still run for them.\n        if: github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork\n        uses: tailor-platform/actions/plan@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n  # __PLAN_JOB_END__\n  tailor-deploy:\n    # __DEPLOY_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    environment: __ENVIRONMENT__\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
 
 //#endregion
 //#region src/cli/commands/setup/github/setup-bun.yml
-var setup_bun_default = "- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0\n- run: bun install --frozen-lockfile\n";
+var setup_bun_default = "- id: tailor-setup-bun\n  uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0\n- id: tailor-install\n  run: bun install --frozen-lockfile\n";
 
 //#endregion
 //#region src/cli/commands/setup/github/setup-npm.yml
-var setup_npm_default = "- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: npm\n- run: npm ci\n";
+var setup_npm_default = "- id: tailor-setup-node\n  uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: npm\n- id: tailor-install\n  run: npm ci\n";
 
 //#endregion
 //#region src/cli/commands/setup/github/setup-pnpm.yml
-var setup_pnpm_default = "- uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8\n- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: pnpm\n- run: pnpm install --frozen-lockfile\n";
+var setup_pnpm_default = "- id: tailor-setup-pnpm\n  uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9\n- id: tailor-setup-node\n  uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: pnpm\n- id: tailor-install\n  run: pnpm install --frozen-lockfile\n";
 
 //#endregion
 //#region src/cli/commands/setup/github/setup-yarn.yml
-var setup_yarn_default = "- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: yarn\n- run: yarn install --frozen-lockfile\n";
+var setup_yarn_default = "- id: tailor-setup-node\n  uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n  with:\n    node-version-file: package.json\n    cache: yarn\n- id: tailor-install\n  run: yarn install --frozen-lockfile\n";
+
+//#endregion
+//#region src/cli/commands/setup/github/tag.workflow.yml
+var tag_workflow_default = "# __HEADER__\nname: Tailor (__WORKSPACE_NAME__)\n\non:\n  push:\n    tags: [\"__TAG_PATTERN__\"]\n  workflow_dispatch:\n    inputs:\n      dry-run:\n        description: Preview changes without deploying\n        type: boolean\n        default: false\n\npermissions:\n  contents: read\n\njobs:\n  # __TAG_GUARD_JOB_START__\n  tailor-tag-guard:\n    runs-on: ubuntu-latest\n    timeout-minutes: 10\n    permissions:\n      contents: read\n    outputs:\n      on-branch: ${{ steps.tailor-tag-guard.outputs.on-branch }}\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n        with:\n          fetch-depth: 0\n      - id: tailor-tag-guard\n        env:\n          TARGET_BRANCH: \"__BRANCH__\"\n        run: |\n          git fetch origin \"$TARGET_BRANCH\"\n          if git merge-base --is-ancestor \"$GITHUB_SHA\" \"origin/$TARGET_BRANCH\"; then\n            echo \"on-branch=true\" >> \"$GITHUB_OUTPUT\"\n          else\n            # A tag outside the target branch is not an error — just skip.\n            echo \"on-branch=false\" >> \"$GITHUB_OUTPUT\"\n            echo \"::notice::Tag $GITHUB_REF_NAME is not reachable from $TARGET_BRANCH; skipping deploy.\"\n          fi\n  # __TAG_GUARD_JOB_END__\n  tailor-plan:\n    # __PLAN_NEEDS__\n    # __PLAN_IF__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    environment: __ENVIRONMENT__\n    permissions:\n      contents: read\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-generate\n        # __WORKING_DIRECTORY__\n        run: __PM_EXEC__ tailor-sdk generate\n      - id: tailor-generate-check\n        run: |\n          git add -A\n          if ! git diff --cached --quiet; then\n            git --no-pager diff --cached --stat\n            echo \"::error::Generated files are out of date. Run 'tailor-sdk generate' locally and commit the result.\"\n            exit 1\n          fi\n      - id: tailor-plan\n        uses: tailor-platform/actions/plan@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          label: __WORKSPACE_NAME__\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n\n  tailor-deploy:\n    needs: tailor-plan\n    if: ${{ !(github.event_name == 'workflow_dispatch' && inputs['dry-run']) }}\n    environment: __ENVIRONMENT__\n    runs-on: ubuntu-latest\n    timeout-minutes: 30\n    permissions:\n      contents: read\n    concurrency:\n      group: tailor-deploy-__WORKSPACE_NAME__\n      cancel-in-progress: false\n    steps:\n      - id: tailor-checkout\n        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n      # __SETUP_STEPS__\n      - id: tailor-apply\n        uses: tailor-platform/actions/deploy@4d0f160b6b5cc2f02594776665471497c297181e # v1.2.0\n        with:\n          workspace-id: ${{ vars.TAILOR_PLATFORM_WORKSPACE_ID }}\n          # __WORKING_DIRECTORY__\n          platform-client-id: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID }}\n          platform-client-secret: ${{ secrets.TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET }}\n";
 
 //#endregion
-//#region src/cli/commands/setup/github/template-deploy.ts
+//#region src/cli/commands/setup/github/templates.ts
+const setupStepIds = {
+	pnpm: [
+		"tailor-setup-pnpm",
+		"tailor-setup-node",
+		"tailor-install"
+	],
+	yarn: ["tailor-setup-node", "tailor-install"],
+	npm: ["tailor-setup-node", "tailor-install"],
+	bun: ["tailor-setup-bun", "tailor-install"]
+};
 const setupSteps = {
 	pnpm: setup_pnpm_default,
 	yarn: setup_yarn_default,
 	npm: setup_npm_default,
 	bun: setup_bun_default
 };
+const execPrefix = {
+	npm: "npx",
+	pnpm: "pnpm exec",
+	yarn: "yarn",
+	bun: "bunx"
+};
+const HEADER = `# Generated by \`tailor-sdk setup github\` — managed by the Tailor SDK.
+#
+# - Jobs and steps whose id starts with \`tailor-\` are managed by the SDK.
+#   Do not edit or rename them.
+# - State is tracked in .github/tailor-sdk.lock (machine-owned: commit it, never edit it).
+# - Re-running \`tailor-sdk setup github\` regenerates this file. If you have
+#   edited it by hand, regeneration stops and asks for --force (which discards
+#   your edits), so prefer keeping customizations in your own jobs/steps and
+#   re-running setup after SDK updates.`;
 function indentSnippet(snippet, spaces) {
 	const indent = " ".repeat(spaces);
 	return snippet.trimEnd().split("\n").map((line) => line ? indent + line : line).join("\n");
@@ -2607,139 +2778,352 @@ function detectPackageManager(dir) {
 	if (fs$1.existsSync(path.join(dir, "package-lock.json"))) return "npm";
 	return "npm";
 }
+function block(content, name, keep) {
+	if (keep) return content.replace(new RegExp(`^ *# __${name}_(?:START|END)__\\n`, "gm"), "");
+	return content.replace(new RegExp(`^ *# __${name}_START__\\n[\\s\\S]*?^ *# __${name}_END__\\n`, "m"), "");
+}
+function line(content, name, replacement) {
+	const re = new RegExp(`^([ \\t]*)# __${name}__\\n`, "gm");
+	return content.replace(re, (_match, indent) => {
+		if (replacement === void 0) return "";
+		return replacement.split("\n").map((l) => l ? indent + l : l).join("\n") + "\n";
+	});
+}
+function applyCommon(content, params) {
+	const { workingDirectory, environment, packageManager } = params;
+	let out = line(content, "HEADER", HEADER);
+	out = line(out, "WORKING_DIRECTORY", workingDirectory ? `working-directory: ${workingDirectory}` : void 0);
+	out = out.replace(/^ *# __SETUP_STEPS__$/gm, () => indentSnippet(setupSteps[packageManager], 6));
+	return out.replaceAll("__WORKSPACE_NAME__", () => params.workspaceName).replaceAll("__ENVIRONMENT__", () => environment).replaceAll("__PM_EXEC__", () => execPrefix[packageManager]);
+}
+function setupIds(job, packageManager) {
+	return setupStepIds[packageManager].map((id) => `${job}/${id}`);
+}
 /**
-* Render the deploy workflow YAML.
+* Render the branch-target deploy workflow.
 *
-* Generates a workflow that calls the composite deploy action
-* from tailor-platform/actions. The environment setup steps (Node.js,
-* package manager, dependency install) are generated based on the
-* detected package manager.
+* When `plan` is false the plan job, the pull_request trigger, and the
+* workflow_dispatch dry-run input are all removed (a plan-less workflow has no
+* meaningful dry-run), and the deploy job runs unconditionally.
+* @param params - Workspace and rendering configuration
+* @returns Rendered YAML and the list of managed job/step ids
+*/
+function renderBranchWorkflow(params) {
+	const { branch, plan, packageManager } = params;
+	let out = branch_workflow_default;
+	out = block(out, "PLAN_JOB", plan);
+	out = block(out, "PULL_REQUEST", plan);
+	out = block(out, "DISPATCH_INPUTS", plan);
+	out = line(out, "DEPLOY_IF", plan ? `if: >-\n  github.event_name == 'push' ||\n  (github.event_name == 'workflow_dispatch' && !inputs['dry-run'])` : void 0);
+	out = line(out, "PATHS", params.workingDirectory ? `paths: ["${params.workingDirectory}/**"]` : void 0);
+	out = applyCommon(out, params).replaceAll("__BRANCH__", () => branch);
+	const generatedIds = [];
+	if (plan) generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", ...setupIds("tailor-plan", packageManager), "tailor-plan/tailor-generate", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-plan");
+	generatedIds.push("tailor-deploy", "tailor-deploy/tailor-checkout", ...setupIds("tailor-deploy", packageManager), "tailor-deploy/tailor-apply");
+	return {
+		content: out,
+		generatedIds
+	};
+}
+/**
+* Render the tag-target deploy workflow.
 *
-* If withPlan is true, also includes a plan job that runs on pull requests.
-* Otherwise, the plan job section delimited by __PLAN_JOB_START__ /
-* __PLAN_JOB_END__ markers is stripped from the template.
-* @param params - Workspace and deployment configuration
-* @returns Workflow YAML content
+* When `branch` is set, a tag-reachability guard job is generated and the plan
+* job gates on it; otherwise no guard is emitted and tags deploy unconditionally.
+* @param params - Workspace and rendering configuration
+* @returns Rendered YAML and the list of managed job/step ids
 */
-function renderDeploy(params) {
-	const { workspaceName, workspaceRegion, organizationId, folderId, workingDirectory, packageManager, withPlan } = params;
-	const workingDirectoryLine = workingDirectory ? `          working-directory: ${workingDirectory}\n` : "";
-	const stripPlanSection = (content) => withPlan ? content.replace(/^ *# __PLAN_JOB_(?:START|END)__\n/gm, "") : content.replace(/^ *# __PLAN_JOB_START__\n[\s\S]*?^ *# __PLAN_JOB_END__\n/m, "");
-	return stripPlanSection(deploy_workflow_default).replaceAll("__WORKSPACE_NAME__", () => workspaceName).replaceAll("__WORKSPACE_REGION__", () => workspaceRegion).replaceAll("__ORGANIZATION_ID__", () => organizationId).replaceAll("__FOLDER_ID__", () => folderId).replace(/ *# __WORKING_DIRECTORY__\n/g, () => workingDirectoryLine).replace(/^ *# __SETUP_STEPS__$/gm, () => indentSnippet(setupSteps[packageManager], 6));
+function renderTagWorkflow(params) {
+	const { tagPattern, branch, packageManager } = params;
+	const hasGuard = branch !== void 0;
+	let out = tag_workflow_default;
+	out = block(out, "TAG_GUARD_JOB", hasGuard);
+	out = line(out, "PLAN_NEEDS", hasGuard ? "needs: tailor-tag-guard" : void 0);
+	out = line(out, "PLAN_IF", hasGuard ? `if: >-\n  github.event_name == 'workflow_dispatch' ||\n  needs.tailor-tag-guard.outputs.on-branch == 'true'` : void 0);
+	out = applyCommon(out, params).replaceAll("__TAG_PATTERN__", () => tagPattern);
+	if (hasGuard) out = out.replaceAll("__BRANCH__", () => branch);
+	const generatedIds = [];
+	if (hasGuard) generatedIds.push("tailor-tag-guard", "tailor-tag-guard/tailor-checkout", "tailor-tag-guard/tailor-tag-guard");
+	generatedIds.push("tailor-plan", "tailor-plan/tailor-checkout", ...setupIds("tailor-plan", packageManager), "tailor-plan/tailor-generate", "tailor-plan/tailor-generate-check", "tailor-plan/tailor-plan", "tailor-deploy", "tailor-deploy/tailor-checkout", ...setupIds("tailor-deploy", packageManager), "tailor-deploy/tailor-apply");
+	return {
+		content: out,
+		generatedIds
+	};
 }
 
 //#endregion
 //#region src/cli/commands/setup/github/github.ts
+async function defaultLoadConfigName(configPath) {
+	const { config } = await loadConfig(configPath);
+	return config.name;
+}
+const WORKSPACE_NAME_RE = /^[a-z0-9-]+$/;
+function validateWorkspaceName(name) {
+	if (name.length < 3 || name.length > 63 || !WORKSPACE_NAME_RE.test(name) || name.startsWith("-") || name.endsWith("-")) throw new Error(`Invalid workspace name "${name}". Names must be 3-63 characters of lowercase letters, numbers, and hyphens, and cannot start or end with a hyphen. Pass a valid name with --workspace-name.`);
+}
+const BRANCH_RE = /^[A-Za-z0-9._/-]+$/;
+const TAG_PATTERN_RE = /^[A-Za-z0-9._/*?![\]-]+$/;
+function validateBranch(branch) {
+	if (!BRANCH_RE.test(branch)) throw new Error(`Invalid branch name "${branch}". Only letters, numbers, ".", "_", "/", and "-" are supported here.`);
+}
+function validateTagPattern(pattern) {
+	if (!TAG_PATTERN_RE.test(pattern)) throw new Error(`Invalid tag pattern "${pattern}". Only letters, numbers, ".", "_", "/", "-", and the glob characters "*?![]" are supported.`);
+}
+const ENVIRONMENT_RE = /^[A-Za-z0-9._/-]+$/;
+function validateEnvironment(environment) {
+	if (!ENVIRONMENT_RE.test(environment)) throw new Error(`Invalid environment name "${environment}". Only letters, numbers, ".", "_", "/", and "-" are supported.`);
+}
+const DIR_RE = /^[A-Za-z0-9._/-]+$/;
+function validateDir(dir) {
+	if (!DIR_RE.test(dir)) throw new Error(`Invalid --dir "${dir}". Only letters, numbers, ".", "_", "/", and "-" are supported.`);
+}
+function escapesRoot(rel) {
+	return rel === ".." || rel.startsWith(`..${path.sep}`) || rel.startsWith("../") || path.isAbsolute(rel);
+}
 /**
-* Build the list of GitHub Actions files to generate.
-* @param options - Setup options including workspace config and output directory
-* @returns Array of files with paths and rendered content
+* Resolve the config file path for the given app directory.
+*
+* `--dir` must stay inside the repository: the value is embedded in workflow
+* `paths:` filters and the config under it gets mutated (id injection), so
+* absolute paths and `..` traversal are rejected.
+* @param outputDir - Repository root (cwd)
+* @param dir - App directory relative to the repo root
+* @returns Absolute path to tailor.config.ts
 */
-function buildFiles(options) {
-	const githubDir = path.join(options.outputDir, ".github");
+function resolveConfigPath(outputDir, dir) {
+	const appDir = path.resolve(outputDir, dir);
+	const rel = path.relative(outputDir, appDir);
+	if (path.isAbsolute(dir) || escapesRoot(rel)) throw new Error(`--dir must be a relative path inside the repository (got "${dir}").`);
+	if (fs$1.existsSync(appDir)) {
+		const realAppDir = path.normalize(fs$1.realpathSync(appDir));
+		const realOutputDir = path.normalize(fs$1.realpathSync(outputDir));
+		if (escapesRoot(path.relative(realOutputDir, realAppDir))) throw new Error(`--dir must resolve to a directory inside the repository (got "${dir}", which links outside it).`);
+	}
+	const configPath = path.join(appDir, "tailor.config.ts");
+	if (!fs$1.existsSync(configPath)) throw new Error(`tailor.config.ts not found at ${configPath}. Run this from your SDK project root, or pass the app directory with --dir.`);
+	return configPath;
+}
+/**
+* Resolve all derived values and render the workflow content.
+* @param options - Setup options
+* @returns Resolved target metadata and rendered content
+*/
+async function resolve$1(options) {
+	if (options.tag && !options.plan) throw new Error("--no-plan cannot be combined with --tag (tag targets always run plan before deploy). Drop --no-plan or use a branch target.");
+	const dir = options.dir.replaceAll("\\", "/").replace(/\/{2,}/g, "/").replace(/^\.\//, "").replace(/\/$/, "") || ".";
+	validateDir(dir);
+	const workingDirectory = dir !== "." ? dir : void 0;
+	const configPath = resolveConfigPath(options.outputDir, dir);
+	const loadName = options.loadConfigName ?? defaultLoadConfigName;
+	const workspaceName = options.workspaceName ?? await loadName(configPath);
+	if (!workspaceName) throw new Error("Could not determine the workspace name. Pass --workspace-name, or set 'name' in tailor.config.ts.");
+	validateWorkspaceName(workspaceName);
+	const kind = options.tag ? "tag" : "branch";
 	const packageManager = detectPackageManager(options.outputDir);
-	const workingDirectory = options.dir !== "." ? options.dir : void 0;
-	return [{
-		path: path.join(githubDir, `workflows/tailor-${options.workspaceName}.yml`),
-		content: renderDeploy({
-			workspaceName: options.workspaceName,
-			workspaceRegion: options.workspaceRegion,
-			organizationId: options.organizationId,
-			folderId: options.folderId,
+	const environment = options.environment ?? workspaceName;
+	validateEnvironment(environment);
+	if (kind === "tag") validateTagPattern(options.tagPattern);
+	let branch = null;
+	let render;
+	if (kind === "branch") {
+		branch = options.branch ?? detectDefaultBranch(options.outputDir, options.gitRunner);
+		validateBranch(branch);
+		render = renderBranchWorkflow({
+			workspaceName,
+			branch,
 			workingDirectory,
+			environment,
 			packageManager,
-			withPlan: options.withPlan
-		})
-	}];
+			plan: options.plan
+		});
+	} else {
+		branch = options.branch ?? null;
+		if (branch !== null) validateBranch(branch);
+		render = renderTagWorkflow({
+			workspaceName,
+			tagPattern: options.tagPattern,
+			branch: options.branch,
+			workingDirectory,
+			environment,
+			packageManager
+		});
+	}
+	const file = `.github/workflows/tailor-${workspaceName}.yml`;
+	const inputs = {
+		branch,
+		tagPattern: kind === "tag" ? options.tagPattern : null,
+		environment,
+		dir,
+		packageManager,
+		plan: kind === "branch" ? options.plan : true
+	};
+	return {
+		kind,
+		workspaceName,
+		branch,
+		environment,
+		packageManager,
+		render,
+		inputs,
+		file,
+		configPath
+	};
 }
 /**
-* Write files to disk, skipping any that already exist.
-* @param files - Files to write
-* @returns Result with lists of written and skipped file paths
+* Decide how to reconcile a target with the on-disk file and lock state.
+* @param obj - Decision inputs
+* @param obj.existing - The matching lock target, if any
+* @param obj.fileExists - Whether the workflow file is present on disk
+* @param obj.currentContent - On-disk content when present
+* @param obj.force - Whether --force was passed
+* @returns The reconciliation action
 */
-function writeFiles(files) {
-	const written = [];
-	const skipped = [];
-	for (const file of files) {
-		if (fs$1.existsSync(file.path)) {
-			skipped.push(file.path);
-			continue;
-		}
-		fs$1.mkdirSync(path.dirname(file.path), { recursive: true });
-		fs$1.writeFileSync(file.path, file.content);
-		written.push(file.path);
+function decideAction(obj) {
+	const { existing, fileExists, currentContent, force } = obj;
+	if (!existing) {
+		if (!fileExists) return { action: "create" };
+		if (force) return { action: "regenerate" };
+		return {
+			action: "conflict",
+			reason: "An unmanaged workflow file already exists at this path. Delete it, or pass --force to bring it under SDK management (this overwrites it)."
+		};
 	}
+	if (!fileExists) return { action: "restore" };
+	if (currentContent !== null && hashContent(currentContent) === existing.contentHash) return { action: "regenerate" };
+	if (force) return { action: "regenerate" };
 	return {
-		written,
-		skipped
+		action: "conflict",
+		reason: "This workflow file has been edited by hand since it was generated. Re-run with --force to discard those edits and regenerate, or revert your changes."
 	};
 }
 /**
-* Generate GitHub Actions workflow files and print next steps.
-* @param options - Setup options including workspace config and output directory
+* Guard against two targets of different kinds colliding on the same file path.
+* @param obj - Conflict inputs
+* @param obj.lock - Existing lock file, or null
+* @param obj.kind - Target kind being generated
+* @param obj.workspaceName - Workspace name being generated
+* @param obj.file - Target file path
 */
-function setupGitHub(options) {
-	logBetaWarning("setup github");
-	const result = writeFiles(buildFiles(options));
-	for (const filePath of result.written) {
-		const relativePath = path.relative(options.outputDir, filePath);
-		logger.success(`Generated ${styles.path(relativePath)}`);
-	}
-	for (const filePath of result.skipped) {
-		const relativePath = path.relative(options.outputDir, filePath);
-		logger.warn(`Skipped ${styles.path(relativePath)} (already exists)`);
-	}
+function assertNoKindCollision(obj) {
+	const { lock, kind, workspaceName, file } = obj;
+	const collision = lock?.targets.find((t) => t.file === file && !(t.kind === kind && t.workspaceName === workspaceName));
+	if (collision) throw new Error(`A ${collision.kind} target already owns ${file}, which conflicts with this ${kind} target. Pass a different name with --workspace-name to generate a separate workflow.`);
+}
+/**
+* Print next-step guidance after generating workflow files.
+* @param obj - Output context
+* @param obj.environment - Resolved GitHub Environment name for this target
+* @param obj.idInjected - Whether an app id was injected into the config
+*/
+function printNextSteps(obj) {
+	const { environment, idInjected } = obj;
 	logger.newline();
-	logger.info("Next steps - set GitHub secrets:");
-	logger.log(`  gh secret set PLATFORM_MACHINE_USER_CLIENT_ID`);
-	logger.log(`  gh secret set PLATFORM_MACHINE_USER_CLIENT_SECRET`);
-	if (options.withPlan) {
-		logger.newline();
-		logger.info("For plan job - set GitHub variable with your workspace ID:");
-		logger.log(`  gh variable set TAILOR_PLATFORM_WORKSPACE_ID`);
-	}
+	logger.info("Next steps:");
+	logger.newline();
+	logger.log(`1. Set the machine-user credentials as secrets on the "${environment}" environment:`);
+	logger.log(`   gh secret set TAILOR_PLATFORM_MACHINE_USER_CLIENT_ID --env ${environment}`);
+	logger.log(`   gh secret set TAILOR_PLATFORM_MACHINE_USER_CLIENT_SECRET --env ${environment}`);
+	logger.newline();
+	logger.log(`2. Provision the workspace and set its id as the TAILOR_PLATFORM_WORKSPACE_ID variable on the "${environment}" environment:`);
+	logger.log("   tailor-sdk workspace create   # if it does not exist yet; copy the id");
+	logger.log(`   gh variable set TAILOR_PLATFORM_WORKSPACE_ID --env ${environment}`);
+	logger.newline();
+	logger.log("3. Commit the generated files:");
+	logger.log("   - .github/workflows/tailor-*.yml");
+	logger.log("   - .github/tailor-sdk.lock");
+	if (idInjected) logger.log("   - tailor.config.ts (app id was added)");
+}
+/**
+* Generate the GitHub Actions workflow for a deploy target and reconcile it
+* with the lock file.
+* @param options - Setup options
+*/
+async function setupGitHub(options) {
+	logBetaWarning("setup github");
+	const resolved = await resolve$1(options);
+	const lock = readLock(options.outputDir);
+	const absFile = path.join(options.outputDir, resolved.file);
+	assertNoKindCollision({
+		lock,
+		kind: resolved.kind,
+		workspaceName: resolved.workspaceName,
+		file: resolved.file
+	});
+	const existing = findTarget(lock, resolved.kind, resolved.workspaceName);
+	const fileExists = fs$1.existsSync(absFile);
+	const decision = decideAction({
+		existing,
+		fileExists,
+		currentContent: fileExists ? fs$1.readFileSync(absFile, "utf-8") : null,
+		force: options.force
+	});
+	if (decision.action === "conflict") throw new Error(`${resolved.file}: ${decision.reason}`);
+	const idResult = await ensureConfigId(resolved.configPath);
+	if (idResult === null) logger.warn("Could not find a defineConfig() call to confirm an app id. The CI deploy will fail unless your config resolves to one with an 'id'.");
+	const idInjected = idResult?.injected ?? false;
+	fs$1.mkdirSync(path.dirname(absFile), { recursive: true });
+	fs$1.writeFileSync(absFile, resolved.render.content, "utf-8");
+	const newTarget = {
+		kind: resolved.kind,
+		workspaceName: resolved.workspaceName,
+		file: resolved.file,
+		templateVersion: 1,
+		inputs: resolved.inputs,
+		generatedIds: resolved.render.generatedIds,
+		ejectedIds: existing?.ejectedIds ?? [],
+		contentHash: hashContent(resolved.render.content)
+	};
+	const targets = [...lock?.targets ?? []];
+	const index = targets.findIndex((t) => t.kind === newTarget.kind && t.workspaceName === newTarget.workspaceName);
+	if (index === -1) targets.push(newTarget);
+	else targets[index] = newTarget;
+	writeLock(options.outputDir, {
+		version: 1,
+		targets
+	});
+	if (decision.action === "restore") logger.success(`Regenerated ${styles.path(resolved.file)} (was missing on disk)`);
+	else if (decision.action === "regenerate") logger.success(`Regenerated ${styles.path(resolved.file)}`);
+	else logger.success(`Generated ${styles.path(resolved.file)}`);
+	printNextSteps({
+		environment: resolved.environment,
+		idInjected
+	});
 }
 
 //#endregion
 //#region src/cli/commands/setup/github/index.ts
 const githubCommand = defineAppCommand({
 	name: "github",
-	description: "Generate GitHub Actions workflow for deployment. (beta)",
+	description: "Generate a GitHub Actions deploy workflow. (beta)",
 	args: z.object({
-		"workspace-name": arg(z.string(), {
+		"workspace-name": arg(z.string().min(1).optional(), {
 			alias: "n",
-			description: "Workspace name"
+			description: "Workspace name (defaults to the config 'name')"
 		}),
-		"workspace-region": arg(z.string(), {
-			alias: "r",
-			description: "Workspace region"
-		}),
-		"organization-id": arg(z.string(), {
-			alias: "o",
-			description: "Organization ID"
-		}),
-		"folder-id": arg(z.string(), {
-			alias: "f",
-			description: "Folder ID"
-		}),
-		dir: arg(z.string().default("."), {
+		branch: arg(z.string().min(1).optional(), { description: "Branch target: deploy trigger branch (defaults to the detected default branch). Tag target: tag-reachability guard branch (no guard when omitted)" }),
+		tag: arg(z.boolean().default(false), { description: "Generate a tag target (deploy on tag push)" }),
+		"tag-pattern": arg(z.string().min(1).optional(), { description: "Tag glob to match (requires --tag; defaults to v*)" }),
+		environment: arg(z.string().min(1).optional(), { description: "GitHub Environment for the plan/deploy jobs (defaults to the workspace name)" }),
+		"no-plan": arg(z.boolean().default(false), { description: "Disable the plan job for a branch target (cannot be combined with --tag)" }),
+		dir: arg(z.string().min(1).default("."), {
 			alias: "d",
 			description: "App directory (for monorepo setups)"
 		}),
-		"with-plan": arg(z.boolean().default(false), {
-			alias: "p",
-			description: "Include plan job for PR previews"
-		})
+		force: arg(z.boolean().default(false), { description: "Discard hand edits / take over unmanaged files and regenerate" })
 	}).strict(),
-	run: (args) => {
-		setupGitHub({
+	run: async (args) => {
+		if (args["tag-pattern"] !== void 0 && !args.tag) throw new Error("--tag-pattern requires --tag.");
+		if (args["no-plan"] && args.tag) throw new Error("--no-plan cannot be combined with --tag.");
+		await setupGitHub({
 			workspaceName: args["workspace-name"],
-			workspaceRegion: args["workspace-region"],
-			organizationId: args["organization-id"],
-			folderId: args["folder-id"],
+			branch: args.branch,
+			tag: args.tag,
+			tagPattern: args["tag-pattern"] ?? "v*",
+			environment: args.environment,
+			plan: !args["no-plan"],
 			dir: args.dir,
-			outputDir: process.cwd(),
-			withPlan: args["with-plan"]
+			force: args.force,
+			outputDir: process.cwd()
 		});
 	}
 });
@@ -3323,7 +3707,7 @@ const CLEAN_ROOM_NOTES = [
 	"It does not copy Liam source code, generated JavaScript/CSS, parser internals, or layout internals."
 ];
 function buildRevision(schema) {
-	return hashContent(JSON.stringify(schema)).slice(0, 16);
+	return hashContent$1(JSON.stringify(schema)).slice(0, 16);
 }
 function toTypeSource(source) {
 	if (!source) return void 0;
@@ -4423,7 +4807,7 @@ async function fetchRemoteTypes(client, workspaceId, namespace) {
 async function assertMigrationsReproduceLocalTypes(loaded, target) {
 	const { config, plugins } = loaded;
 	const pluginManager = plugins.length > 0 ? new PluginManager(plugins) : void 0;
-	const { defineApplication, generatePluginFilesIfNeeded } = await import("../application-DSXntqnV.mjs");
+	const { defineApplication, generatePluginFilesIfNeeded } = await import("../application-av2raLs6.mjs");
 	const application = defineApplication({
 		config,
 		pluginManager